Ctrl Wallet

The wallet breaks the connection and fails to process the wallet_watchAsset RPC endpoint properly, yet it still requires user confirmation for other DApp requests.

It lacks an embedded browser.

Require the user to unlock the wallet before processing each DApp request.

The wallet doesn't refuse to sign an EIP-712 message with a chainId that does not match the currently active chain.

The wallet used personal_sign, converted to bytes.

The wallet does not warn users of a domain or scheme mismatch when signing SIWE message.

The wallet displays a list of connected DApps and allows users to revoke access either individually or all at once.

The wallet doesn't offer the ability to list and revoke token approvals via in-app functionality or links to external DApps.

The wallet switches chains without requiring user confirmation.

The wallet does not display incoming or outgoing assets for pool requests but clearly shows them for swap requests.

The wallet doesn't provide a clear interface for users to review the approved transaction details. The wallet only displays the approval contract, not the spender.

The wallet displays large messages in personal sign requests without truncation and shows the verifying contract in the EIP-712 object.

The wallet displays EIP-712 objects as plain data without parsing them.

The wallet allows transactions to addresses with invalid checksums by auto-correcting them when provided by a DApp, but the transaction doesn’t go through. When the address is entered manually, it shows an invalid address alert.

The sign button is available from the start.

The wallet provides clickable links in both historical transactions and transaction previews.

The wallet prompts the user's face id before displaying the recovery phrase.

The wallet doesn't include a manual lock option within the settings menu.

The wallet includes an auto-lock feature, but it takes more than a minute.

The wallet supports biometrics and mandates its use once enabled, without requiring a password or passcode.

The wallet allows copying mnemonics or private keys to the clipboard without adequately warning about the risks or limiting their duration.

The wallet provides a clear warning about the risks of sharing mnemonics and private keys before revealing them. It also requires users to check a box confirming they won’t share them.

The wallet doesn't alert about connections to known phishing DApps.

The wallet does not alert users when sending funds to known phishing addresses, such as the Tornado Cash attacker address when using the DApp.

The wallet informs users when they are interacting with well-known, verified URLs (DApps) like Uniswap.

The wallet does not warn the user when trying to send funds to an unknown address.

The wallet doesn't display the full URL of the DApp without truncation when users attempt to connect.

The wallet effectively filters out spam and scam NFTs.

The wallet notifies users in the connection dialog that connecting allows the DApp to access their balance, and activity, and request transaction approvals.